Security Automation and Orchestration

Twenty Four Hours To Build An ExtraHop App For Phantom

This is a guest blog post from Vince Stross, a Senior Security Engineer at ExtraHop, reflecting on the process of integrating ExtraHop Reveal(x) security analytics with Phantom’s simple, powerful automation and orchestration capabilities.

Successful automation and orchestration of security processes require having the right data at the right time and doing the right thing with it. As a Security Engineer at ExtraHop, I’m continually exposed to the ways security teams are using our product to discover and investigate potential security threats. ExtraHop provides accurate, contextualized, timely insight about security threats — but someone still has to act on that information. By integrating with Phantom to automate security workflows, our shared solution has the potential to save security teams a great deal of time and money. These advantages will be realized by allowing SecOps teams to automate formerly manual processes such as quarantining endpoints based on suspicious behavior, or tagging devices for deeper monitoring when they start interacting with sensitive data or assets.

What It’s Like To Build A Phantom App (Spoiler alert: It’s Easy)

When I sat down to write the ExtraHop Phantom app, I decided to keep it simple at first, just to make sure I understood how it worked. I had a little initial trepidation since Phantom’s main language is Python, which is not my first language. After using their App Development Wizard to build a skeleton app, however, I was pleasantly surprised at the simplicity of the process. Considering the fact that once you’ve got a skeleton app setup, you can download the code and pore over it line-by-line if you want made it much easier for me to get up to speed on how their system works.

The second pleasant surprise was how easy it was to connect our APIs together. ExtraHop’s REST APIs are easy to use and adhere to best practices, but that’s not the case with all APIs. When I set up our Phantom app, I pointed our data cannon at their API and it just worked. That’s a best-case scenario.

Ultimately, I was able to build a simple, useful proof-of-concept Phantom app in under 24 hours, including the time it took me to find and peruse their documentation and bone up on my Python skills.

The simplicity of Phantom’s app and playbook model will make it easy for us to add new functionality at a quick pace. Once we’ve added assets and actions, users just have to drag and drop the ones they want to integrate. They can quickly set up new automated workflows based on any data available to them from ExtraHop, and any actions available from their firewall, CMDB, threat feeds, and any other security products they have also integrated with Phantom.

Agile Automation Is Better For Business

As I began building our Phantom app I was faced with the same question that many security teams have to answer when they set out to automate their workflows: what, exactly, should we automate?

Many security teams stall out at this phase, because it is a daunting question. Most automation projects require writing custom code to tie applications and data sources together with little guarantee that the resulting program will deliver the desired result. For example, a security team might want to automate the process of labeling a particular laptop as “suspicious” after detecting anomalous behavior.

To automate this process without ExtraHop or Phantom, this team would need a way to detect the suspicious behavior. Then they’d have to decide the best way to tag the device or user. That could involve alerting their CMDB or Active Directory team, or even quarantining the device via a firewall. Automating any of those possible steps would likely require custom code, which would need to be tested, deployed, and maintained. That’s a lot of work for a single automated use case, so the team has to decide ahead of time which use cases they’re willing to put that effort into, at the opportunity cost of other potentially valuable projects.

Phantom and ExtraHop go a long way toward eliminating this problem. Phantom’s playbooks are drag and drop. Once you have a data source (or asset) and an action set up, you can conduct easy, low-cost experiments, making it much easier to create a customized automation and orchestration solution for whatever your organization needs.

To me, this is one of the biggest advantages of the ExtraHop and Phantom integration going forward. The ability to quickly, inexpensively iterate over different workflows removes the main burden that stops many organizations from automating at all.

The Wrap Up

The first ExtraHop app for Phantom (publishing soon!) will make it simple for customers to automatically tag devices for more intensive monitoring based on their behavior. This is a small step towards a future of simple security workflow automation that is going to be absolutely vital as the scale and complexity of security threats grow and the difficulty of hiring quality staff intensifies.

If you have ideas or requests for useful functionality that ExtraHop and Phantom could provide, we’re available on the Phantom slack channel, so just shoot a message to “@Dan at ExtraHop” in phantom-community.slack.com.

Watch this space for further updates on the ExtraHop and Phantom integration. We’ll be publishing our app soon, and adding further functionality to allow ExtraHop to be a foundational data source for useful Phantom playbooks.